Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Collector/Forwarder

fisk12
Path Finder
‎04-25-2011 01:13 PM

Say for example i have a environment that is being split into two different networks (routed through different firewalls) I have my "main" splunk server on one of the network. Is is possible to use one or more splunk instance as "collectors" on the other net and send it to the main splunk server. I rather don't want to set up routing/firewalls opening more then absolutely necessary.

0 Karma
Reply

fisk12
Path Finder
‎04-25-2011 02:57 PM

Cool, so basically i just have to set the servers on Net a to send their stuff to "Box A" and then just set "Box A" as a forwarder and send its stuff to box B?

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎04-25-2011 01:30 PM

You can absolutely set up a firewall between separate subnets, but as with anything IP based, you're going to need firewall rules to allow it. If you set up a forwarder in subnet A, it's going to forward to whatever port you define in your inputs.conf on the indexer (and outputs.conf on the forwarder). You can set whatever port you want, though, so it will you don't need to allow TCP Any, or port 80/443, or etc. You could, say, use port 12345, which is nice and distinct for firewall admins.

Reply

David
Splunk Employee
Splunk Employee
‎04-25-2011 02:40 PM

Ah ha, gotcha. Unless you're sending obscenely large amounts of data, or have an obscenely underpowered box in Net A, that should work fine. Forwarding is very resource light, so you can have a local forwarder send everything to the main box. Just note that you have to have the box in Net A be a forwarder, rather than an indexer. You can't double-index the data, unless you have the licensing to support it.

0 Karma
Reply

fisk12
Path Finder
‎04-25-2011 01:41 PM

Yeah well im also doing a big part of the firewall stuff myself so i know about that stuff. What i meant was if its working good to have some servers on Net A send their stuff to a smaller splunk server on net A, that server then sends it stuff to the "real" splunk server on net B. With that i only have the static route between the two splunk servers configured, insted of the hole net A- Net B.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...